Single-use password generation

ABSTRACT

A request for password generation is received from a host system. In response to receiving the request, a password derivation key is generated based on a key derivation seed. A password is derived from the password derivation key, and a wrapping key is derived from the password. The wrapping key is used to wrap an authorization state indication, which is stored in local memory. Encrypted data is generated based on an encryption of the key derivation seed using an asymmetric encryption key. The encrypted data is provided in response to the request.

TECHNICAL FIELD

Embodiments of the disclosure relate generally to memory sub-systems,and more specifically, relate to single-use password generation for usein memory sub-systems.

BACKGROUND

A memory sub-system can be a storage system, such as a solid-state drive(SSD), and can include one or more memory components that store data.The memory components can be, for example, non-volatile memorycomponents and volatile memory components. In general, a host system canutilize a memory sub-system to store data at the memory components andto retrieve data from the memory components.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure will be understood more fully from the detaileddescription given below and from the accompanying drawings of variousembodiments of the disclosure.

FIG. 1 illustrates an example computing environment that includes amemory sub-system, in accordance with some embodiments of the presentdisclosure.

FIG. 2 is a data flow diagram illustrating interactions betweencomponents in a secure communication environment in performing anexample method for generation and use of a single-use password, inaccordance with some embodiments of the present disclosure.

FIGS. 3A and 3B are swim lane diagrams illustrating interactions betweencomponents in the secure communication environment in performing anexample method for single-use password generation and authentication, inaccordance with some embodiments of the present disclosure.

FIG. 4 is a block diagram illustrating components of a password objectthat is generated in accordance with some embodiments of the presentdisclosure.

FIGS. 5-7 are flow diagrams illustrating an example method forsingle-use password generation and authentication in a memorysub-system, in accordance with some embodiments of the presentdisclosure.

FIGS. 8A-8C are flow diagrams illustrating an example authenticationsession process, in accordance with some embodiments of the presentdisclosure.

FIG. 9 is a block diagram of an example computer system in whichembodiments of the present disclosure may operate.

DETAILED DESCRIPTION

Aspects of the present disclosure are directed to single-use passwordgeneration and authentication in a memory sub-system. A memorysub-system is also hereinafter referred to as a “memory device.” Anexample of a memory sub-system is a storage system, such as a SSD. Insome embodiments, the memory sub-system is a hybrid memory/storagesub-system. In general, a host system can utilize a memory sub-systemthat includes one or more memory components. The host system can providedata to be stored at the memory sub-system and can request data to beretrieved from the memory sub-system. A memory sub-system controllertypically receives commands or operations from the host system andconverts the commands or operations into instructions or appropriatecommands to achieve the desired access to the memory components of thememory sub-system.

A memory sub-system may store confidential, proprietary, or othersensitive information that should only be accessed by specificallyauthorized users such as field engineers. As an example of suchinformation, a memory sub-system may maintain and store a debug log thatincludes information regarding operation of the memory sub-system thatmay be used to diagnose and correct problems occurring on the memorysub-system. In many instances, this type of sensitive information needsto be communicated to an external computing machine (e.g., server)operated by personnel who are authorized to access the information. Withconventional memory sub-systems, both the retrieval of the informationfrom the memory sub-system and communication of the information to theexternal computing machine are vulnerable to snooping because of a lackof security protocols. These security vulnerabilities of conventionalmemory sub-systems may result in unauthorized access of sensitiveinformation included therein.

Public Key Infrastructure (PKI) is often used in these communications tocryptographically sign and verify sensitive information, and in thismanner, trust of origin and the capability to detect unauthorizedmodification can be derived.

Example uses of PKI include firmware signing and verification as well asauthorization of commands that may compromise security of a memorysub-system. In certain implementations, a public key of an asymmetricencryption key pair is maintained by a memory sub-system to performverification processes while the private key is secured by a hardwaresecurity module (HSM) of a secure system that is external to andindependent of the memory sub-system.

Rivest-Shamir-Adleman (RSA) PKI operations allow for encryption anddecryption operations. Data encrypted by the public key can only bedecrypted by the corresponding private key. If this private key issecured at the external secure system, the memory sub-system can encryptsensitive information that may be exported from the memory sub-systemand transported to the secure system through an unsecured channel fordecryption at the secure system. To facilitate this communication of theencrypted sensitive information, a user, often a field applicationengineer (FAE), must access a proprietary network, either directly orthrough a virtual private network, to communicate with the securesystem. However, in certain environments in which memory sub-systems aredeployed, it is not possible to access an external network. The networkaccess limitations of these environments present a difficult challengein securely unlocking and interrogating memory sub-systems (e.g., fordebug purpose).

Aspects of the present disclosure address the above and otherdeficiencies by implementing a secure mechanism for generating asingle-use password at a memory sub-system. Although the password itselfis not stored at the memory sub-system, information from which thepassword may be derived is securely transferred to a secure server forregeneration of the password. Once the password is regenerated from theinformation by the secure server, it is returned to a requesting user(e.g., a FAE) who may use it to unlock the memory sub-system or executeprivileged commands.

Consistent with some embodiments, an asymmetric key pair comprising apublic key and a private key is generated, and a memory sub-systemcontroller is provisioned with the public key to encrypt sensitiveinformation. A secure server is provisioned with the private key todecrypt the sensitive information. A host system may request generationof a password from the memory sub-system, and the memory sub-systemresponds with a password regeneration object that includes encrypteddata comprising a key derivation seed from which a password may bederived. A security component of the memory sub-system uses the publickey to generate the encrypted data. Since only the secure server has theprivate key, only the secure server may access the key derivation seedand derive the password therefrom. Accordingly, a user of the hostsystem may forward the password object to the secure server as part of apassword regeneration request, and the secure server, in turn, decryptsthe encrypted data using the private key, and uses the key derivationseed to derive the password, which is returned in response to therequest.

In some embodiments, the security component of the memory sub-systemgenerates the key derivation seed using a random or pseudo-random numbergenerator and derives a password derivation key from the key derivationseed using a key derivation function (KDF). The security component usesa password derivation function (PDF) to derive a password from thepassword derivation key. The security component uses a password-basedkey derivation function (PBKDF) to derive a wrapping key from thepassword to wrap an authorization/unlock state indication. The securitycomponent stores the wrapped authorization/unlock state indication,rather than the password itself, in local memory. The security componentuses the public key to generate encrypted data that includes the keyderivation seed and generates a password derivation object that includesthe encrypted data. The password object is provided in response to therequest.

Upon receiving the password object in response to the request, a user ofthe host system may submit a password regeneration request that includesthe password object to the secure server. The secure server uses thecorresponding private key to decrypt the encrypted data in the passwordobject. The secure server uses the KDF to derive the password derivationkey from the key derivation seed included in the decrypted data, and thesecure server uses the PDF to derive the password from the passwordderivation key. The secure server provides the password in response tothe password regeneration request. Upon receiving the password, the usermay unlock the memory sub-system using the password. After being used tounlock the memory sub-system, the password may never be used again.Hence, the password may only be used once.

Utilizing the security protocol described above reduces vulnerabilitiesin the communication of sensitive information that is present inconventional memory sub-systems by preventing access of sensitiveinformation by unauthorized parties. For example, at worst, only theencrypted data, rather than the raw data, may be accessed via snooping.Additionally, the security protocol provides a secure mechanism forauthorized personnel to securely access sensitive information from amemory sub-system.

FIG. 1 illustrates an example computing environment 100 that includes amemory sub-system 110, in accordance with some embodiments of thepresent disclosure. The memory sub-system 110 can include media, such asmemory components 112-1 to 112-N. The memory components 112-1 to 112-Ncan be volatile memory components, non-volatile memory components, or acombination of such. In some embodiments, the memory sub-system 110 is astorage system. An example of a storage system is a SSD. In someembodiments, the memory sub-system 110 is a hybrid memory/storagesub-system. In general, the computing environment 100 can include a hostsystem 120 that uses the memory sub-system 110. For example, the hostsystem 120 can write data to the memory sub-system 110 and read datafrom the memory sub-system 110.

The host system 120 can be a computing device such as a desktopcomputer, laptop computer, network server, mobile device, or suchcomputing device that includes a memory and a processing device. Thehost system 120 can include or be coupled to the memory sub-system 110so that the host system 120 can read data from or write data to thememory sub-system 110. The host system 120 can be coupled to the memorysub-system 110 via a physical host interface. As used herein, “coupledto” generally refers to a connection between components, which can be anindirect communicative connection or direct communicative connection(e.g., without intervening components), whether wired or wireless,including connections such as electrical, optical, magnetic, and thelike. Examples of a physical host interface include, but are not limitedto, a serial advanced technology attachment (SATA) interface, aperipheral component interconnect express (PCIe) interface, a universalserial bus (USB) interface, a Fibre Channel interface, a Serial AttachedSCSI (SAS), and so forth. The physical host interface can be used totransmit data between the host system 120 and the memory sub-system 110.The host system 120 can further utilize an NVM Express (NVMe) interfaceto access the memory components 112-1 to 112-N when the memorysub-system 110 is coupled with the host system 120 by the PCIeinterface. The physical host interface can provide an interface forpassing control, address, data, and other signals between the memorysub-system 110 and the host system 120.

The memory components 112-1 to 112-N can include any combination of thedifferent types of non-volatile memory components and/or volatile memorycomponents. An example of non-volatile memory components includes anegative- and (NAND)-type flash memory. Each of the memory components112-1 to 112-N can include one or more arrays of memory cells such assingle-level cells (SLCs) or multi-level cells (MLCs) (e.g.,triple-level cells (TLCs) or quad-level cells (QLCs)). In someembodiments, a particular memory component can include both an SLCportion and an MLC portion of memory cells. Each of the memory cells canstore one or more bits of data (e.g., data blocks) used by the hostsystem 120. Although non-volatile memory components such as NAND-typeflash memory are described, the memory components 112-1 to 112-N can bebased on any other type of memory such as a volatile memory. In someembodiments, the memory components 112-1 to 112-N can be, but are notlimited to, random access memory (RAM), read-only memory (ROM), dynamicrandom access memory (DRAM), synchronous dynamic random access memory(SDRAM), phase change memory (PCM), magneto random access memory (MRAM),negative-or (NOR) flash memory, electrically erasable programmableread-only memory (EEPROM), and a cross-point array of non-volatilememory cells. A cross-point array of non-volatile memory cells canperform bit storage based on a change of bulk resistance in conjunctionwith a stackable cross-gridded data access array. Additionally, incontrast to many flash-based memories, cross-point non-volatile memorycan perform a write-in-place operation, where a non-volatile memory cellcan be programmed without the non-volatile memory cell being previouslyerased. Furthermore, as noted above, the memory cells of the memorycomponents 112-1 to 112-N can be grouped as data blocks that can referto a unit of the memory component used to store data.

A memory sub-system controller 115 (hereinafter referred to as a“controller”) can communicate with the memory components 112-1 to 112-Nto perform operations such as reading data, writing data, or erasingdata at the memory components 112-1 to 112-N and other such operations.The controller 115 can include hardware such as one or more integratedcircuits and/or discrete components, a buffer memory, or a combinationthereof. The controller 115 can be a microcontroller, special-purposelogic circuitry (e.g., a field-programmable gate array (FPGA), anapplication-specific integrated circuit (ASIC), etc.), or anothersuitable processor. The controller 115 can include a processor(processing device) 117 configured to execute instructions stored inlocal memory 119. In the illustrated example, the local memory 119 ofthe controller 115 includes an embedded memory configured to storeinstructions for performing various processes, operations, logic flows,and routines that control operation of the memory sub-system 110,including handling communications between the memory sub-system 110 andthe host system 120. In some embodiments, the local memory 119 caninclude memory registers storing memory pointers, fetched data, etc. Thelocal memory 119 can also include ROM for storing micro-code. While theexample memory sub-system 110 in FIG. 1 has been illustrated asincluding the controller 115, in another embodiment of the presentdisclosure, a memory sub-system 110 may not include a controller 115,and may instead rely upon external control (e.g., provided by anexternal host, or by a processor or controller separate from the memorysub-system).

In general, the controller 115 can receive commands or operations fromthe host system 120 and can convert the commands or operations intoinstructions or appropriate commands to achieve the desired access tothe memory components 112-1 to 112-N. The controller 115 can beresponsible for other operations such as wear leveling operations,garbage collection operations, error detection and error-correcting code(ECC) operations, encryption operations, caching operations, and addresstranslations between a logical block address and a physical blockaddress that are associated with the memory components 112-1 to 112-N.The controller 115 can further include host interface circuitry tocommunicate with the host system 120 via the physical host interface.The host interface circuitry can convert the commands received from thehost system 120 into command instructions to access the memorycomponents 112-1 to 112-N as well as convert responses associated withthe memory components 112-1 to 112-N into information for the hostsystem 120.

The memory sub-system 110 can also include additional circuitry orcomponents that are not illustrated. In some embodiments, the memorysub-system 110 can include a cache or buffer (e.g., DRAM) and addresscircuitry (e.g., a row decoder and a column decoder) that can receive anaddress from the controller 115 and decode the address to access thememory components 112-1 to 112-N.

The memory sub-system 110 also includes a security component 113 thatfacilitates secure communication with the memory sub-system 110. Thesecurity component 113 may be included in the controller 115 or any oneor more of the memory components 112-1 to 112-N. In some embodiments,the controller 115 includes at least a portion of the security component113. For example, the controller 115 can include the processor 117(processing device) configured to execute instructions stored in thelocal memory 119 for performing the operations described herein. In someembodiments, the security component 113 is part of the host system 120,an application, or an operating system.

The security component 113 is responsible for generating passwordobjects and authorizing access to data stored by the memory sub-system110 based on passwords derived therefrom. More specifically, thesecurity component 113 generates password objects from which single-usepasswords may be derived. Each single-use password may be used only onceto unlock the memory sub-system 110. The passwords themselves are notstored by the security component 113 or any other component of thememory sub-system 110. Rather, the security component 113 generates andstores data to which a password may be compared to verify that thecorrect password is being used. After a password is used to unlock thememory sub-system 110, the underlying data used to verify the passwordis discarded.

The security component 113 receives requests for password generationfrom the host system 120 and provides the host system 120 with apassword object in response thereto. The password object includesencrypted data comprising a key derivation seed from which a passwordderivation key may be derived and used to derive a password. Thesecurity component 113 may further include a key store 109 to store oneor more encryption keys used by the security component 113 to encryptinformation. In some embodiments, the key store 109 is implementedwithin a local memory of the memory sub-system controller 115 (e.g., thelocal memory 119). In some embodiments, the key store 109 is implementedwithin one or more of the memory components 112-1 to 112-N.

The security component 113 also receives authentication requests foraccessing the memory sub-system 110. Each authentication requestincludes a password, which may be provided to a user of the host system120 (e.g., a field engineer) by a secure server that is responsible forderiving the password from a password object generated by the securitycomponent 113. The security component 113 compares the password tostored information to determine whether the password is correct, and ifso, the security component 113 provides an unlock/authorizationindication, unlocks the memory sub-system 110, and discards the storedinformation used to determine whether the password is correct.

The security component 113 may communicate with the host system 120 viathe physical host interface or a native sideband communication port(e.g., a Universal Asynchronous Receiver/Transmitter (UART) port orother serial communication port that supports two-way communication)that may be specially configured as a diagnostic or maintenance port.

FIG. 2 is a data flow diagram illustrating interactions betweencomponents in a secure communication environment in performing anexample method for generation and use of a single-use password, inaccordance with some embodiments of the present disclosure. In thecontext of FIG. 2, an asymmetric encryption key pair—a public key and aprivate key—may be pre-generated, and the security component 113 may beprovisioned with the public key to encrypt data, while a secure server200 is provisioned with the private key to decrypt the data.

As shown, at 202, the host system 120 sends a request for passwordgeneration. In response to the request, the security component 113 ofthe controller 115 generates a password object. The password object doesnot itself include a password nor does the security component 113 storethe password itself. Instead, the password object comprises encrypteddata generated using the public key, and the encrypted data comprises akey derivation seed from which a password derivation key may be derivedand used to derive a password.

At 204, the controller 115 responds to the request from the host system120 with the password object, and at 206 a user 201 of the host system120 (e.g., a FAE) in turn provides the password object as part of apassword regeneration request to the secure server 200 capable ofdecrypting the encrypted data. The secure server 200, in turn, decryptsthe encrypted data and derives the password derivation key from the keyderivation seed. The secure server 200 then derives a password 210 fromthe password derivation key, and at 208, the secure server 200 providesthe password 210 (e.g., back to the host system 120 or the user 201 ofthe host system 120) in response to the password regeneration request.

As will be discussed further below, the user 201 of the host system 120may use the password a single time to unlock the memory sub-system 110.As noted above, the security component 113 does not store the passworditself. Instead, the security component 113 also derives a wrapping keyfrom the password and uses the wrapping key to wrap an authorizationindication. The wrapped authorization indication is stored by thesecurity component 113 (e.g., in the local memory 119) and may beunwrapped with an unwrapping key derived from the password upon thesecurity component 113 receiving the password in an authenticationrequest. Assuming that the password initially derived by the securitycomponent 113 matches the password provided in the authenticationrequest, the unwrapping key will be identical to the wrapping key, andthus capable of unwrapping the wrapped authorization indication. Uponthe security component 113 successfully unwrapping the wrappedauthorization indication, the authorization indication is provided andthe memory sub-system 110 enters an unlocked state. After the passwordis used to unlock the memory sub-system 110, the wrapped datacorresponding to the password is discarded.

FIGS. 3A and 3B are swim lane diagrams illustrating interactions betweencomponents in the secure communication environment in performing anexample method 300 for single-use password generation andauthentication, in accordance with some embodiments. As shown in FIG.3A, the method 300 begins at operation 302 where the host system 120sends a request for password generation to the security component 113 ofthe controller 115. In response to receiving the request, the securitycomponent 113 generates, at operation 304, a password derivation keyusing a key derivation function (KDF) (e.g., a hash-based messageauthentication code (HMAC) derivation). The KDF derives the passwordderivation key from a key derivation seed using a deterministic randombit generator (DRBG) function. The key derivation seed comprises arandom or pseudo-random value generated using a random or pseudo-randomnumber generator.

At operation 306, the security component 113 derives a password from thepassword derivation key using a password derivation function (PDF) Thesecurity component 113 generates a wrapping key based on the passwordusing a password-based key derivation function (PBKDF) (e.g., PBKDF1 orPBKDF2), at operation 308. The security component 113, at operation 310,uses the wrapping key to wrap an authorization state indication, whichis stored in a local memory (e.g., internal SRAM) of the controller 115.The security component 113 may use one of many known wrapping mechanismsto wrap the authorization state indication using the wrapping key. Thestored wrapped data is discarded after a successful authentication anddoes not survive a reboot or reset of the memory sub-system 110.

At operation 312, the security component 113 generates encrypted datausing a public key (e.g., an asymmetric encryption key generated as partof a key pair using an RSA algorithm and stored in the key store 109).The encrypted data includes the key derivation seed among other data,which is discussed further below. At operation 314, the securitycomponent 113 generates a password object based on the encrypted data.The security component 113 may generate the password object byconcatenating the encrypted data with an object header. At operation316, the security component 113 responds to the request from the hostsystem 120 with the password object. Prior to providing the passwordobject to the host system 120, the security component 113 may encode thepassword object or a portion thereof using a binary-to-text encodingscheme such as BASE64, for example.

The host system 120 is not provisioned with a corresponding private key,and thus, the host system 120 is unable to decrypt the encrypted data inthe password object. Accordingly, upon receiving the password object,the host system 120 or a user of the host system 120 (e.g., a FAE) sendsthe password object to the secure server 200 as part of a passwordregeneration request, at operation 318.

The secure server 200 maintains the private key corresponding to thepublic key used to generate the encrypted data included in the passwordobject. Thus, the secure server 200 is capable of decrypting theencrypted data. Accordingly, upon receiving the password object, thesecure server 200 decrypts the encrypted data, at operation 320, usingthe private key. The public key may be included in the password objectand used as a handle to identify the appropriate private keyrepresentation. In embodiments in which the password object or a portionthereof is encoded, the secure server 200 may decode the password objector the portion prior to decryption using the private key.

Upon decrypting the encryption data, the secure server 200 uses the KDFto derive the password derivation key from the key derivation seed, atoperation 322. At operation 324, the secure server 200 uses the PDF toderive the password from the password derivation key. At operation 326,the secure server 200 provides the password to the host system 120 inresponse to the password regeneration request. A FAE or other personnelmay then use the password to unlock the memory sub-system 110.

For example, as shown in FIG. 3B, at operation 328, the host system 120provides an authentication request to the security component 113. Theauthentication request includes the password supplied to the host system120 at operation 326. Upon receiving the password, the securitycomponent 113 uses the PBKDF to derive an unwrapping key from thepassword, at operation 330. Assuming that the password is correct, theunwrapping key is identical to the wrapping key used to wrap theauthorization state indication (at operation 310). At operation 332, thesecurity component 113 unwraps the wrapped authorization stateindication stored in local memory using the unwrapping key. At operation334, the security component 113 provides the authorization stateindication based on a successful unwrapping of the authorization stateindication, and at operation 336, the security component 113 unlocks thememory sub-system 110. At operation 338, the security component 113discards the wrapped data based on use of the password. In this way, thepassword cannot be used again to unlock the memory sub-system 110.

FIG. 4 is a block diagram illustrating components of a password object400 that is generated in accordance with some embodiments of the presentdisclosure. As shown, the password object 400 comprises an object header402 and encrypted data 404. The object header 402 includes multiplefields comprising information about the password object 400 such as anidentifier, a size, a version, a protection scheme, password keyattributes, a password key length, and a public key.

The encrypted data 404 includes optimal asymmetric encryption padding(OAEP) 406, binary data 408, and a hash 410 of the binary data 408. Thehash 410 is generated by providing the binary data 408 as input to acryptographic hash function such as the Secure Hash Algorithm 256(SHA256).

The binary data 408 includes multiple fields such as a version 412, awrap type 414, options 416, a password length 418, a timestamp 420,device information 422, a key derivation seed 424, and a scramble key426. The version 412, wrap type 414, options 416, password length 418,timestamp 420, and device information 422 fields may be collectivelyreferred to herein as “non-random fields,” as the fields are filled withnon-random values. Conversely, the key derivation seed 424 and thescramble key 426 may be collectively referred to as “random fields,” asthese fields are filled with random values.

The version 412 field is used to specify the version of password objectstructure being used. The version 412 field may be used to determinecompatibility between the object producer and the consumer. The wraptype 414 field is used to specify a wrapped object type and is used todistinguish between different wrapped objects.

The options 416 field is used to specify optional configurationinformation in the password object 400 and may implicitly definerequirements for processing. For example, the options 416 field may beused to indicate that the timestamp 420 field is set, which may be usedto implement an expiration time limit on the password object 400. Asanother example, the options 416 field may be used to indicate thatadditional optional seed data is to be used as part of the passwordderivation key derivation process. As yet another example, the options416 field may be used to indicate that the KDF is a single HMACderivation.

The password length 418 field is used to specify the length of thepassword being used (e.g., in bytes). The length may be configured perprogram or may be a range determined at random by the memory sub-system110. The timestamp 420 field contains information regarding when thepassword object 400 was created. The device information 422 fieldcontains device-specific information that can be used to identify whichmemory sub-system 110 created the password object 400.

The key derivation seed 424 is used to derive a password derivation key.The key derivation seed 424 is generated by the memory sub-system 110using a DRBG function. The scramble key 426 may be used to obfuscatevalues in the non-random fields as well as the key derivation seed 424to further protect against known answer attacks on data. The securitycomponent 113 also generates the scramble key 426 using the DRBGfunction used to generate the key derivation seed 424.

As shown in FIG. 4, the key derivation seed 424 is provided as input toa KDF 428 to produce a password derivation key 430. As illustrated inFIG. 4, in some embodiments, optional supplemental text 432 (e.g.,supplied by the user 201) may be provided along with the key derivationseed 424 as input to the KDF 428 to produce the password derivation key430. The security component 113 uses a PDF 434 to derive a password 436from the password derivation key 430.

FIGS. 5-7 are flow diagrams illustrating an example method 500 forsingle-use password generation and authentication in a memorysub-system, in accordance with some embodiments of the presentdisclosure. The method 500 can be performed by processing logic that caninclude hardware (e.g., a processing device, circuitry, dedicated logic,programmable logic, microcode, hardware of a device, an integratedcircuit, etc.), software (e.g., instructions run or executed on aprocessing device), or a combination thereof. In some embodiments, themethod 500 is performed by the security component 113 of FIG. 1.Although processes are shown in a particular sequence or order, unlessotherwise specified, the order of the processes can be modified. Thus,the illustrated embodiments should be understood only as examples, andthe illustrated processes can be performed in a different order, andsome processes can be performed in parallel. Additionally, one or moreprocesses can be omitted in various embodiments. Thus, not all processesare required in every embodiment. Other process flows are possible.

At operation 505, the processing device receives a request for passwordgeneration. The request may be received from the host system 120. Insome embodiments, receiving the request includes receiving one or morecommands from the host system via a host system interface. In someembodiments, receiving the request includes receiving the request fromthe host system via a communication port (e.g., a UART port or otherserial communication port that supports two-way communication). Thecommunication port, may be a native port specifically configured fordiagnostic or maintenance purposes.

At operation 510, the processing device generates a password derivationkey based on a key derivation seed. The processing device uses a KDF toderive the password derivation key from at least the key derivationseed. For example, the processing device may utilize a HMAC derivationfunction to derive the password derivation key. The key derivation seedis a random or pseudo-random value generated by the processing deviceusing, for example, a DRBG function. Consistent with some embodiments,the output of the KDF is a 256-bit symmetric key, which corresponds tothe password derivation key. It shall be noted that the passwordderivation key is not stored by the memory sub-system 110. The passwordderivation key is only derived by the memory sub-system 110 or thesecure server 200 from the key derivation seed.

In some embodiments, optional supplemental data provided by the hostsystem 120 may be incorporated into the password derivation keyderivation process by appending it to the key derivation seed. Theoptional supplemental data provided by the host system 120 may, forexample, comprise text generated by a user. Consistent with theseembodiments, the processing device may use the KDF to derive thepassword derivation key from the combination of the key derivation seedand the supplemental data.

At operation 515, the processing device derives a password from thepassword derivation key. For example, the processing device may utilizethe PDF in deriving the password from the password derivation key.Similar to the password derivation key, the derived password is notitself stored by the memory sub-system 110.

The processing device generates a wrapping key based on the passwordusing a PBKDF (e.g., PBKDF1 or PBKDF2) as shown in operation 520. Forexample, the processing device may provide the password to the PBKDF andthe output of the PBKDF may be the wrapping key. At operation 525, theprocessing device wraps an authorization state indication using thewrapping key. The processing device may utilize one of many knownwrapping techniques to wrap the authorization state indication (e.g.based on the AES key wrap specification or American Standards CommitteeANSX9.102 specification). The authorization state indication may beprovided by the security component 113 upon receiving the password in anauthentication request. The exact definition and use of theauthorization state indication may be program-specific and may depend oncapabilities of the memory sub-system 110. The authorization stateindication comprises information on the interface that was used tosubmit the password generation request at operation 505 (e.g., UART,host interface, or port, number for multi-port enabled systems). In someembodiments, the authorization state indication may be used to enforce astrict password generation and authorization interface coherency, inimplementations where authorization capability is allowed on the sameinterface.

As shown at operation 530, the processing device stores the wrappedauthorization state indication in a local memory (e.g., the local memory119). For example, the processing device may store the wrappedauthorization state indication in SRAM.

Thereafter, the processing device generates encrypted data based on anencryption of the key derivation seed using an asymmetric encryption key(see operation 535). The generating of the encrypted data comprisesencrypting binary data (e.g., the binary data 408) and a hash of thebinary data (e.g., the hash 410), where the binary data includes the keyderivation seed among other information. The asymmetric encryption keyis a public key generated as part of a key pair using the RSA algorithmand provisioned to the processing device. Accordingly, the processingdevice may encrypt the binary data and the hash of the binary data usingRSA encryption.

At operation 540, the processing device generates a password object(e.g., the password object 400) based on the encrypted data. Thegenerating of the password object may comprise concatenating theencrypted data with an object header. Further details regarding anexample password object are addressed above in reference to FIG. 4.

The processing device provides the password object in response to therequest, at operation 545. For example, the processing device may returnthe password object to the host system 120 in response to a requestreceived from the host system 120.

As shown in FIG. 6, the method 500 may, in some embodiments, include anyone or more of operations 605, 610, 615, 620, 625, 630, 635, and 640.Consistent with these embodiments, the operations 605, 610, and 615 maybe performed subsequent to operation 505 where the processing devicereceives the request for password generation.

As shown, at operation 605, the processing device constructs an objectheader (e.g., the object header 402) for the password object. The objectheader includes multiple fields comprising information about thepassword object such as an identifier, a size, a version, a protectionscheme, password key attributes, a password key length, and the publicasymmetric encryption key used to generate the encrypted data.

The processing device generates the key derivation seed (see operation610). The key derivation seed is a random or pseudo-random valuegenerated by the processing device using a DRBG function.

As shown at operation 615, the processing device generates a scramblekey. The scramble key is also a random or pseudo-random value generatedby the processing device using the DRBG function.

Consistent with these embodiments, the operations 620, 625, 630, and 635may be performed as part (e.g., sub-operations) of 540, where theprocessing device generates the password object. At operation 620, theprocessing devices sets values in one or more non-random data fields ofthe password object. As noted above, the non-random data fields mayinclude a version field (e.g., 412), a wrap type field 414), an optionsfield (e.g., 416), a password length field (e.g., 418), a timestampfield (e.g., 420), and a device information field (e.g., 422).

The processing device, at operation 625, scrambles one or more datafields of the password object using the scramble key. For example, theprocessing device may scramble the non-random values in the non-randomfields and/or the key derivation seed to protect against known answerattacks on the data. The processing device may scramble the data usingexclusive OR (XOR) logic with the scramble key and data as input.

The processing device generates a hash of the key derivation seed, thescramble key, and the values of the non-random data fields (seeoperation 630). The processing device uses a cryptographic hash functionto generate the hash. For example, the processing device may use SHA-256to generate the hash. At operation 635, the processing deviceconcatenates the encrypted data with the object header. In someembodiments, the operation 625 may be omitted. That is, the non-randomdata fields may not be scrambled prior to generating the hash.Consistent with these embodiments, the processing device generates ahash of the key derivation seed and unscrambled values for thenon-random fields.

Consistent with these embodiments, operation 640 may be performedsubsequent to operation 540, where the processing device generates thepassword object. At operation 640, the processing device encodes thepassword object using a binary-to-text encoding scheme (e.g., BASE64).The encoded format is intended to facilitate retrieval of the binarydata over multiple interfaces (e.g., UART). The encoding may beimplementation- and/or program-specific based on the type of transportrequired. In essence, the encoding of the password object converts thepassword object to a format suitable for export from the memorysub-system 110 for external processing and suitable for transport over avariety of mechanisms including email. In some embodiments, the encodeddata may be bracketed with a descriptive notation indicating the startand end of the encoded data.

As shown in FIG. 7, the method 500 may, in some embodiments, includeoperations 705, 710, 715, 720, and 725. Consistent with theseembodiments, the operations 705, 710, 715, 720, and 725 may be performedsubsequent to operation 545 where the processing device provides thepassword object in response to the password generation request. Morespecifically, the operations 705, 710, 715, 720, and 725 may beperformed subsequent to a user submitting the password object providedto the host system 120 at operation 545 to a secure server (e.g., thesecure server 200) as part of a password regeneration request, andreceiving a response from the secure server that includes the password.

As shown at operation 705, the processing device receives anauthentication request comprising the password. The request may bereceived from the host system 120. In some embodiments, receiving therequest includes receiving one or more commands from the host system viaa host system interface. In some embodiments, receiving the requestincludes receiving the request from the host system via a communicationport (e.g., a UART port or other serial communication port that supportstwo-way communication). As noted above, the password may be received bya user of the host system 120 from a secure server in response to apassword regeneration request.

The processing device derives an unwrapping key from the password usingthe PBKDF (see operation 710). Assuming that the password supplied aspart of the authentication request is the same password derived atoperation 515, the unwrapping key will be identical to the wrapping keyused to wrap the authorization state indication. Otherwise, theauthentication request fails.

At operation 715, the processing device unwraps the authorization stateindication using the unwrapping key. At operation 720, the processingdevice provides an authorization state indication based on theunwrapping of the authorization state indication.

The processing device, at operation 725, discards the wrapped data basedon successful unwrapping. In this way, the password may not be usedagain to unlock the memory sub-system 110.

FIGS. 8A-8C are flow diagrams illustrating an example authenticationsession process 800, in accordance with some embodiments of the presentdisclosure. The process 800 can be performed by processing logic thatcan include hardware a processing device, circuitry, dedicated logic,programmable logic, microcode, hardware of a device, an integratedcircuit, etc.), software (e.g., instructions run or executed on aprocessing device), or a combination thereof. In some embodiments, theprocess 800 is performed by the security component 113 of FIG. 1.Although processes are shown in a particular sequence or order, unlessotherwise specified, the order of the processes can be modified. Thus,the illustrated embodiments should be understood only as examples, andthe illustrated processes can be performed in a different order, andsome processes can be performed in parallel. Additionally, one or moreprocesses can be omitted in various embodiments. Thus, not all processesare required in every embodiment. Other process flows are possible.

At operation 802, the processing device accesses a variable (“AUTHREQUIRED”) that indicates whether authentication is required to unlockthe memory sub-system 110. The variable has three possible values:“TRUE,” “FALSE,” and “PENDING.” If the variable is set to “FALSE,” noauthentication is required and the processing device enters a successfulauthentication state, at operation 804.

Otherwise, at operation 806, the processing device determines whetherthe variable is set to “PENDING.” If the variable is set to “PENDING,”the processing device increments a password retry counter, at operation808. The password retry counter comprises a count of attempted uses of apassword in an authentication session. Upon incrementing the passwordretry counter, the processing device determines whether the passwordretry counter has reached a predetermined maximum allowed value (“Max”),at operation 810. If the password retry counter has reached thepredetermined maximum allowed value, the processing device clears anauthorization session timer, at operation 812. The authorization sessiontimer comprises a program-specific counter that indicates a timeoutvalue (e.g., in seconds) before an active authorization session expires.Upon clearing the timer, the processing device sets the variable to“TRUE” (at operation 814) and discards wrapped data comprising anauthorization state indication (at operation 816). The processing devicethereafter enters a failed authentication state at operation 818. If thepassword retry counter has not reached the maximum allowable value atoperation 810, the processing device performs operation 830, which isdiscussed below.

Returning to the determination at operation 806, if the variable is notset to “PENDING,” the processing device determines, at operation 820,whether an authentication retry counter has reached a predeterminedmaximum allowed value (“Max”). The authentication retry countercomprises a count of authentication attempts during the authenticationsession. If the authentication retry counter has reached thepredetermined maximum allowed value, the processing device enters thefailed authentication state at operation 818.

Otherwise, the processing device increments the authentication retrycounter and sets the variable to “PENDING” at operation 822. Atoperation 824, the processing device initializes the authenticationsession timer. At operation 826, the processing device generates apassword object and stores a wrapped unlock/authorization stateindication in local memory, in the manner discussed above. At operation828, the processing device clears the password retry counter and outputsthe password object to the host system 120.

As shown at operation 830, the processing device checks whether aresponse has been received from the host system 120. Specifically, theprocessing device determines whether a password has been received fromthe host system 120, at operation 832. If no password has been received,the processing device checks whether another command was received fromthe host system 120, at operation 834. If a command has been received,the processing device clears the authentication session timer, atoperation 812, and continues to operation 814 and so forth. If nocommand has been received, the processing device determines whether theauthentication session timer has expired, at operation 836. If the timerhas not expired, the processing device performs operation 830. If thetimer has expired, the processing device sets the variable to “TRUE” atoperation 814.

If a password is received at operation 832, the processing device usesthe PBKDF to derive an unwrapping key from the password, at operation838. At operation 840, the processing device attempts to unwrap thewrapped authorization indication using the unwrapping key. If theunwrapping is unsuccessful, the processing device increments thepassword retry counter at operation 808 and proceeds as illustrated anddescribed above. An unsuccessful unwrapping indicates that an incorrectpassword was received at operation 832. If the unwrapping is successful,the processing device outputs the authorization state indication andsets the variable to “FALSE” (at operation 842). The processing devicethereafter enters a successful authentication state (at operation 804).

EXAMPLES

Example 1 is a system comprising: a memory component; and a processingdevice, operatively coupled with the memory component, to performoperations comprising: receiving, from a host system, a request forpassword generation; in response to receiving the request, generating apassword derivation key based on a key derivation seed; deriving apassword from the password derivation key; generating a wrapping keybased on the password; wrapping an authorization state indication usingthe wrapping key; storing the wrapped authorization state indication inthe memory component; generating, using an asymmetric encryption key,encrypted data based on an encryption of the key derivation seed; andproviding a response to the request comprising the encrypted data.

In Example 2, the operations of Example 1 optionally further comprise:receiving an authentication request comprising the password; deriving anunwrapping key from the password; unwrapping the wrapped authorizationstate indication using the unwrapping key; and providing, in response tothe authentication request, the authorization state indication based onthe unwrapping.

In Example 3, the operations of Examples 1 or 2 optionally furthercomprise: generating a password object based on the encrypted data, thepassword object comprising: an object header and the encrypted data; andproviding the password object in response to the request.

In Example 4, the operations of any one of Examples 1-3 optionallycomprise constructing an object header; and concatenating the encrypteddata and the object header to form the password object.

In Example 5, the operations of any one of Examples 1-4 optionallyfurther comprise generating a scramble key using a random orpseudo-random number generator; and scrambling one or more fields of thepassword object using the scramble key.

In Example 6, the operations of any one of Examples 1-5 optionallyfurther comprise encoding the password object using a binary-to-textencoding scheme prior to providing the password object in the response.

In Example 7, the operations of any one of Examples 1-6 optionallycomprises encrypting binary data and a hash of the binary data, thebinary data comprising: one or more non-random data fields, the keyderivation seed, and a scramble key.

In Example 8, the operations of any one of Examples 1-7 optionallyfurther comprise: using a key derivation function to generate thepassword derivation key; using a password derivation function to derivethe password; and using a password based key derivation function togenerate the wrapping key.

In Example 9, the subject matter of any one of Examples 1-8 optionallycomprises a key derivation seed comprising a random or seudo-randomnumber generated by a random or pseudo-random number generator.

In Example 10, the operations of any one of Examples 1-9 optionallyfurther comprise generating the password derivation key based onsupplemental data provided by the host system.

Example 11 is a method comprising: receiving, from a host system, arequest for password generation; in response to receiving the request,generating, by at least one processor of a memory sub-system controller,a password derivation key based on a key derivation seed; deriving, byat least one processor of the memory sub-system controller, a passwordfrom the password derivation key; generating, by at least one processorof the memory sub-system controller, a wrapping key based on thepassword; wrapping, by at least one processor of the memory sub-systemcontroller, an authorization state indication using the wrapping key;storing the wrapped authorization state indication in a memory of thememory sub-system controller; generating, by at least one processor ofthe memory sub-system controller, encrypted data based on an encryptionof the key derivation seed using an asymmetric encryption key; andproviding, by at least one processor of the memory sub-systemcontroller, a response to the request to the host system, the requestcomprising the encrypted data.

In Example 12, the subject matter of Example 11 optionally comprises:receiving an authentication request comprising the password; deriving anunwrapping key from the password; unwrapping the wrapped authorizationstate indication using the unwrapping key; and providing, in response tothe authentication request, the authorization state indication based onthe unwrapping.

In Example 13, the subject matter of any one of Examples 11 or 12optionally comprises generating a password object based on the encrypteddata, the password object comprising: an object header and the encrypteddata; and providing the password object in response to the request.

In Example 14, the subject matter of any one of Examples 11-13optionally comprises: constructing an object header; and concatenatingthe encrypted data and the object header to form the password object.

In Example 15, the subject matter of any one of Examples 11-14optionally comprises the generating the password derivation key using akey derivation function; deriving the password using a passwordderivation; and generating the wrapping key comprises using a passwordbased key derivation function.

In Example 16, the subject matter of any one of Examples 11-15optionally comprises: encoding the password object using abinary-to-text encoding scheme prior to providing the password object inthe response.

In Example 17, the subject matter of any one of Examples 11-16optionally comprises: encrypting binary data and a hash of the binarydata, the binary data comprising: one or more non-random data fields,and the key derivation seed.

In Example 18, the subject matter of any one of Examples 11-17optionally comprises: generating a hash of binary data using acryptographic hash function.

In Example 19, the subject matter of any one of Examples 11-18optionally comprises: the key derivation seed comprising a random orpseudo-random number generated by a random or pseudo-random numbergenerator.

Example 20 is a non-transitory computer-readable storage mediumcomprising instructions that, when executed by a processing device,configures the processing device to perform operations comprising:receiving, from a host system, a request for password generation; inresponse to receiving the request, generating a password derivation keybased on a key derivation seed; deriving a password from the passwordderivation key; generating a wrapping key based on the password;wrapping an authorization state indication using the wrapping key;storing the wrapped authorization state indication in a local memory;generating, using an asymmetric encryption key, encrypted data based onan encryption of the key derivation seed; and providing a response tothe request comprising the encrypted data.

Machine Architecture

FIG. 9 illustrates an example machine in the form of a computer system900 within which a set of instructions, for causing the machine toperform any one or more of the methodologies discussed herein, can beexecuted. In some embodiments, the computer system 900 can correspond toa host system (e.g., the host system 120 of FIG. 1) that includes, iscoupled to, or utilizes a memory sub-system (e.g., the memory sub-system110 of FIG. 1) or can be used to perform the operations of a controller(e.g., to execute an operating system to perform operationscorresponding to the security component 113 of FIG. 1). In alternativeembodiments, the machine can be connected (e.g., networked) to othermachines in a local area network (LAN), an intranet, an extranet, and/orthe Internet. The machine can operate in the capacity of a server or aclient machine in client-server network environment, as a peer machinein a peer-to-peer (or distributed) network environment, or as a serveror a client machine in a cloud computing infrastructure or environment.

The machine can be a personal computer (PC), a tablet PC, a set-top box(STB), a Personal Digital Assistant (PDA), a cellular telephone, a webappliance, a server, a network router, a switch or bridge, or anymachine capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that machine. Further,while a single machine is illustrated, the term “machine” shall also betaken to include any collection of machines that individually or jointlyexecute a set (or multiple sets) of instructions to perform any one ormore of the methodologies discussed herein.

The example computer system 900 includes a processing device 902, a mainmemory 904 (e.g., ROM, flash memory, DRAM such as SDRAM or Rambus DRAM(RDRAM), etc.), a static memory 906 (e.g., flash memory, static randomaccess memory (SRAM), etc.), and a data storage system 918, whichcommunicate with each other via a bus 930.

The processing device 902 represents one or more general-purposeprocessing devices such as a microprocessor, a central processing unit,or the like. More particularly, the processing device 902 can be acomplex instruction set computing (CISC) microprocessor, a reducedinstruction set computing (RISC) microprocessor, a very long instructionword (VLIW) microprocessor, a processor implementing other instructionsets, or processors implementing a combination of instruction sets. Theprocessing device 902 can also be one or more special-purpose processingdevices such as an ASIC, an FPGA, a digital signal processor (DSP), anetwork processor, or the like. The processing device 902 is configuredto execute instructions 926 for performing the operations and stepsdiscussed herein. The computer system 900 can further include a networkinterface device 908 to communicate over a network 920.

The data storage system 918 can include a machine-readable storagemedium 924 (also known as a computer-readable medium) on which is storedone or more sets of instructions 926 or software embodying any one ormore of the methodologies or functions described herein. Theinstructions 926 can also reside, completely or at least partially,within the main memory 904 and/or within the processing device 902during execution thereof by the computer system 900, the main memory 904and the processing device 902 also constituting machine-readable storagemedia. The machine-readable storage medium 924, data storage system 918,and/or main memory 904 can correspond to the memory sub-system 110 ofFIG. 1.

In one embodiment, the instructions 926 include instructions toimplement functionality corresponding to a security component (e.g., thesecurity component 113 of FIG. 1). While the machine-readable storagemedium 924 is shown in an example embodiment to be a single medium, theterm “machine-readable storage medium” should be taken to include asingle medium or multiple media that store the one or more sets ofinstructions. The term “machine-readable storage medium” shall also betaken to include any medium that is capable of storing or encoding a setof instructions for execution by the machine and that cause the machineto perform any one or more of the methodologies of the presentdisclosure. The term “machine-readable storage medium” shall accordinglybe taken to include, but not be limited to, solid-state memories,optical media, and magnetic media.

Some portions of the preceding detailed descriptions have been presentedin terms of algorithms and symbolic representations of operations ondata bits within a computer memory. These algorithmic descriptions andrepresentations are the ways used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of operations leading to adesired result. The operations are those requiring physicalmanipulations of physical quantities. Usually, though not necessarily,these quantities take the form of electrical or magnetic signals capableof being stored, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. The presentdisclosure can refer to the action and processes of a computer system,or similar electronic computing device, that manipulates and transformsdata represented as physical (electronic) quantities within the computersystem's registers and memories into other data similarly represented asphysical quantities within the computer system's memories or registersor other such information storage systems.

The present disclosure also relates to an apparatus for performing theoperations herein. This apparatus can be specially constructed for theintended purposes, or it can include a general-purpose computerselectively activated or reconfigured by a computer program stored inthe computer. Such a computer program can be stored in acomputer-readable storage medium, such as, but not limited to, any typeof disk including floppy disks, optical disks, CD-ROMs, andmagnetic-optical disks; ROMs; RAMs; erasable programmable read-onlymemories (EPROMs); EEPROMs; magnetic or optical cards; or any type ofmedia suitable for storing electronic instructions, each coupled to acomputer system bus.

The algorithms and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general-purposesystems can be used with programs in accordance with the teachingsherein, or it can prove convenient to construct a more specializedapparatus to perform the method. The structure for a variety of thesesystems will appear as set forth in the description above. In addition,the present disclosure is not described with reference to any particularprogramming language. It will be appreciated that a variety ofprogramming languages can be used to implement the teachings of thedisclosure as described herein.

The present disclosure can be provided as a computer program product, orsoftware, that can include a machine-readable medium having storedthereon instructions, which can be used to program a computer system (orother electronic devices) to perform a process according to the presentdisclosure. A machine-readable medium includes any mechanism for storinginformation in a form readable by a machine (e.g., a computer). In someembodiments, a machine-readable (e.g., computer-readable) mediumincludes a machine-readable (e.g., a computer-readable) storage mediumsuch as a ROM, a RAM, magnetic disk storage media, optical storagemedia, flash memory components, and so forth.

In the foregoing specification, embodiments of the disclosure have beendescribed with reference to specific example embodiments thereof. Itwill be evident that various modifications can be made thereto withoutdeparting from the broader spirit and scope of embodiments of thedisclosure as set forth in the following claims. The specification anddrawings are, accordingly, to be regarded in an illustrative senserather than a restrictive sense.

What is claimed is:
 1. A system comprising: a memory component; and aprocessing device, operatively coupled with the memory component, toperform operations comprising: receiving, from a host system, a requestfor password generation; in response to receiving the request,generating a password derivation key based on a key derivation seedcomprising a random or pseudo-random number generated by a random orpseudo-random number generator; deriving a password from the passwordderivation key; generating a wrapping key based on the password;wrapping an authorization state indication using the wrapping key;storing the wrapped authorization state indication in the memorycomponent; generating, using an asymmetric encryption key, encrypteddata based on an encryption of the key derivation seed used to derivethe password, the generating of the encrypted data comprises encryptingbinary data and a hash of the binary data, the binary data comprisingthe key derivation seed used to derive the password; and providing aresponse to the request comprising the encrypted data.
 2. The system ofclaim 1, wherein the operations further comprise: receiving anauthentication request comprising the password; deriving an unwrappingkey from the password; unwrapping the wrapped authorization stateindication using the unwrapping key; and providing, in response to theauthentication request, the authorization state indication based on theunwrapping.
 3. The system of claim 1, Wherein: the operations furthercomprise generating a password object based on the encrypted data, thepassword object comprising: an object header and the encrypted data; andthe response comprises the password object.
 4. The system of claim 3,wherein the generating of the password object comprises: constructingthe object header; and concatenating the encrypted data and the object,header to form the password object.
 5. The system of claim 3, whereinthe operations further comprise: generating a scramble key using arandom or pseudo-random number generator; and scrambling one or morefields of the password object using the scramble key.
 6. The system ofclaim 3, wherein the operations further comprise encoding the passwordobject using a binary-to-text encoding scheme prior to providing thepassword object in the response.
 7. The system of claim 1, wherein thebinary data further comprises one or more non-random data fields.
 8. Thesystem of claim 1, wherein: the processing device uses a key derivationfunction to generate the password derivation key; the processing deviceuses a password derivation function to derive the password; and theprocessing device uses a password based key derivation function togenerate the wrapping key.
 9. The system of claim 8, wherein: theoperations further comprise receiving supplemental text from a user; andthe generating of the key derivation seed comprises using the keyderivation seed and the supplemental text from the user as a seed forthe key derivation function.
 10. The system of claim 1, wherein theprocessing device comprises a memory sub-system controller.
 11. A methodcomprising: receiving, from a host system, a request for passwordgeneration; in response to receiving the request, generating, by atleast one processor of a memory sub-system controller, a passwordderivation key based on a key derivation seed comprising a random orpseudo-random number generated by a random or pseudo-random numbergenerator; deriving, by at least one processor of the memory sub-systemcontroller, a password from the password derivation key; generating, byat least one processor of the memory sub-system controller, a wrappingkey based on the password; wrapping, by at least one processor of thememory sub-system controller, an authorization state indication usingthe wrapping key; storing the wrapped authorization state indication ina memory of the memory sub-system controller; generating, by at leastone processor of the memory sub-system controller using an asymmetricencryption key, encrypted data based on an encryption of the keyderivation seed used to derive the password, the generating of theencrypted data comprises encrypting binary data and a hash of the binarydata, the binary data comprising the key derivation seed used to derivethe password; and providing, by at least one processor of the memorysub-system controller, a response to the request to the host system, therequest comprising the encrypted data.
 12. The method of claim 11,further comprising: receiving an authentication request comprising thepassword; deriving an unwrapping key from the password; unwrapping thewrapped authorization state indication using the unwrapping key; andproviding, in response to the authentication request, the authorizationstate indication based on the unwrapping.
 13. The method of claim 11,wherein: the method further comprises generating a password object basedon the encrypted data, the password object comprising: an object headerand the encrypted data; and the response comprises the password object.14. The method of claim 13, wherein the generating of the passwordobject comprises: constructing the object header; and concatenating theencrypted data and the object header to form the password object. 15.The method of claim 11, wherein: the generating of the passwordderivation key comprises using a key derivation function to generate thepassword derivation key; the deriving of the password comprises using apassword derivation function to derive the password; and the generatingof the wrapping key comprises using a password based key derivationfunction to generate the wrapping key.
 16. The method of claim 13,further comprising encoding the password object using a binary-to-textencoding scheme prior to providing the password object in the response.17. The method of claim 11, wherein the binary data further comprisesone or more non-random data fields.
 18. The method of claim 17, furthercomprising: generating the hash of the binary data using a cryptographichash function.
 19. The method of claim 11, wherein: the method furthercomprises receiving supplemental text from a user; and the generating ofthe key derivation seed comprises using the key derivation seed and thesupplemental text from the user as a seed for a key derivation function.20. A non-transitory computer-readable storage medium comprisinginstructions that, when executed by a processing device, configure theprocessing device to perform operations comprising: receiving, from ahost system, a request for password generation; in response to receivingthe request, generating a password derivation key based on a keyderivation seed comprising a random or pseudo-random number generated bya random or pseudo-random number generator; deriving a password from thepassword derivation key; generating a wrapping key based on thepassword; wrapping an authorization state indication using the wrappingkey; storing the wrapped authorization state indication in a localmemory; generating, using an asymmetric encryption key, encrypted databased on an encryption of the key derivation seed used to derive thepassword, the generating of the encrypted data comprises encryptingbinary data and a hash of the binary data, the binary data comprisingthe key derivation seed used to derive the password; and providing aresponse to the request comprising the encrypted data.